AN OVERVIEW FOR MAC, IPAD AND IPHONE

Basics of Apple Device Security SMALL BUSINESS A well-planned cyberattack or an accidental download of 2 malware can mean the difference between a productive day and all work grinding to a halt. As hackers get more sophisticated, organizations concerned about their bottom line and security of their customer, employee or student data must stay on top of security.

This guide is for anyone that has been tasked with

Apple security concerns, like all IT security concerns, are real. managing Apple devices in your organization and wants to get serious about their organizational While Apple has invested a great deal in its security features security of their Apple devices, and offers basic and has rapidly become the leader in device and data privacy information for newcomers or a simple refresher for and security, no operating system is immune to security Apple management veterans. challenges.

This means that administrators must not only respond quickly to security issues, but also proactively guard against them. 3 The basic building blocks

Several factors work together to ensure the security of your organization’s hardware and data, and you can break them down into six main areas:

Securing devices Apple native security Data encryption Keeping your physical devices Security systems already built-in The basics of encrypting data at Introduction secure and protecting those to macOS, iOS and iPadOS rest and data in transit using them

to Apple Page 4 Page 7 Page 6 Security

Compliance Secure monitoring Application security deployments and patching Monitoring devices to pinpoint Deploying with the highest level needed updates Keeping up-to-date software of security available

Page 8 Page 9 Page 11 4 Building Block One: Apple Native Security

How to make the most of them with device management

Security features already built in to macOS (operating system for Mac) amd iOS (operating system for iPhone) and iPadOS (operating system for iPad) are extensive and come with several benefits:

Apple operating systems are based on a UNIX foundation, a very well-researched and developed foundation with excellent stability

Strong OS security framework

Device security in the form of locking and device finders

Ability to implement and configure security controls through configuration options via mobile device management (MDM)

An MDM solution can take these existing security configurations and deploy (and enforce) them to a large group of devices. So, you can set up not only one Mac or iPad securely, but thousands.

You also have more expansive security controls with an MDM tool that can lock and wipe devices that are lost or removed from the facility. 5 Security feature details

Native security features for macOS, iOS and iPadOS

macOS Security Features iOS Security Features iPadOS Security Features

1

Software System Integrity Gatekeeper Software Secure System App Store Software Secure System App Store Updates Protection (SIP) Updates Updates

App Store FileVault XProtect Touch ID Hardware App Touch ID Hardware App Encryption Encryption Sandboxing Encryption Sandboxing

App Sandboxing Privacy Settings Privacy Supervision Remote device Privacy Supervision finder for lost devices 6 Building Block Two: Securing Devices

Tracking, securing and protecting devices and users Securing or restricting devices manually:

One of the simplest ways to damage an organization’s security or to compromise end-user’s safety is through access to a single Mac iPad and iPhone device. Whether your organization serves healthcare workers, remote staff, retail floor employees or frequent travelers — at any Require passwords on all devices Require passwords on all devices given moment your devices could be in twenty different places.  Enable Find My Mac through System Enable Find My Phone through System Lost or stolen devices Preferences > iCloud Preferences > iCloud  Depend on individual user to be able to sign Depend on individual user to be able to A lost or stolen iPad, iPhone or Mac isn’t just a financial loss: into iCloud and remember password sign into iCloud and remember password it’s a huge security risk. The damage can be incalculable: a Track all Mac serial numbers Report to Apple online if a device has thief manages to find private student data from a lost laptop or Report to Apple online if a device has been been lost or stolen accesses the entire organization’s database from that laptop. A lost or stolen Enable parental controls on an individual former employee who still has her work laptop making private  Enable parental controls on the device to device, creating different accounts for information public or offering it to competitors. Even a malware block websites (Only affects Safari browser) each device introduction from a remote source.  Set and deploy all Restrictions and security  Set and deploy all Restrictions and features from first use or setup with Blueprints security features from first use or setup Devices get lost and stolen. Accidents and moments of  Lock or wipe any lost or misused with Blueprints inattention happen, and planning with the assumption that the device centrally  Lock or wipe any lost or misused question is only when someone will lose track of a device is vital.  Set up password requirements to deploy device centrally to all devices  Set up password requirements to deploy In addition, many devices — especially those shared by multiple  Manage and push OS Updates centrally to all devices users — require safeguards against misuse, accidental discovery  Manage and push OS Updates centrally of another’s data, or viewing of inappropriate content. 7 Building Block Three: Encrypting Data

Disc or device encryption. MacOS already has built-in disk encryption: FileVault. You don’t have to add any additional software in To manually enable FileVault: order to encrypt a drive on a Mac. 1. Navigate to System Preferences > Security and Privacy > FileVault FileVault is FIPS 140-2 certified. That means Apple’s 2. Select the toggle switch to turn on the option from there encryption system meets the highest standards for 3. Repeat federal government encryption.

You can enable FileVault manually or remotely: user To enable FileVault across your organization’s devices, leverage an MDM solution to automate, deploy and enforce encryption. You can deploy a Blueprint that will enable can choose the option themselves on one device, FileVault, and IT can retrieve encryption keys in case staff need to de-encrypt the or IT can enable FileVault (using Jamf Now) across device down the road. hundreds or even thousands of devices in one session. 1. Create a Blueprint through a simple selection of options within Jamf Now and select “Enable FileVault” as a setting Jamf Now ensures that encryption keys are centrally Deploy to as many devices as you’rel="tag">d like stored in case you need to uncover data, someone 2. leaves or someone forgets their password. 3. There is no step three

With Jamf Now, if a device is enrolled and has FileVault enabled through the MDM, recovery keys are stored centrally on the device details page in case IT needs to gain access.

What about an Encrypting iOS and iPadOS devices is even easier. iOS and iPadOS devices have built-in encryption as soon as a passcode is set. You can do this individually, or you can do it from Jamf Now, as well as setting up parameters for the passcode such as iPad or iPhone? length and complexity. 8 Building Block Four: Compliance Monitoring

Ensure that protocols and controls are in place on all devices

A security system is only as good as its weakest point. For the best coverage, administrators must monitor the organization’s devices to ensure that every device is updated, has received the most recent patches, and has the correct encryption options enabled.

Monitoring compliance with Jamf Now:

To ensure that all of your organization’s devices are protected Monitoring compliance manually: through Jamf’s inventory feature: To ensure that all of your organization’s devices are protected, you would need to constantly audit devices. 1. View up-to-date, real-time information on all devices simultaneously Physically track down each device 1. 2. Deploy updates and security configurations for any 2. Go into each option individually to ensure that device that is not secured properly Software updates are all current 3. Say it with us: there is no step three Encryption is enabled No one has introduced malware or a virus 3. As updates are only as good as the last update you performed, repeat The ability to see device details helps you know which updates to 4. And repeat send where, and which security features to configure. Blueprints based on department, permissions, device type, or any other 5. This will require constant vigilance and a great deal of buy-in and categorization method mean that you can be as targeted or all- cooperation from end users encompassing in updates as they you choose. 9 Building Block Five: Application Security and Patching

Keeping up-to-date on patches and ensuring the safety of applications Application Security: Apple has made apps as safe as possible to download and use with the following features: It’s vital to know that They’ve adopted a sandbox model: each app lives in its own space and can’t interact with other applications. your applications don’t To allow apps to read or write to others’ shared data requires approval from the user or administrator. contain malware or Apps in the App Store have been vetted to alleviate security risk. This is the only way to get apps on an other hostile code. If iPhone or iPad, which controls security. Confining Mac users to the App Store for their apps is a way that administrators can control security device-wide. you can’t trust your Gatekeeper for macOS is a feature that either users can select or, with an MDM like Jamf, administrators can application sources, configure for all devices. Users or administrators may select from three Gatekeeper options, allowing apps you’ll compromise downloaded from: security. Mac App Store Mac App Store and identified developers Anywhere

Best practice is to allow the Mac App Store and identified Setting up Gatekeeper options manually: Setting up Gatekeeper options with Jamf: developers, especially if you create your own applications or Navigate to: Preferences > Security & In keeping with the pattern, set up and repackage apps. Sign them yourself so they’ll be trusted by 1. Privacy > General deploy a configuration profile to all devices. Gatekeeper. 2. Select from the three options available That’s it. While Mac allows for an ‘anywhere’ option, know that only making Repeat for every device in your organization sure you know where the app is coming from and that it is signed by 3. developer you trust will ensure that it hasn’t been modified in transit. 10 Application Security and Patching

Patching: Options for managing patches manually:

All software, created Educate users to self-update as soon as they receive update notifications on their devices. by humans who make Collect all devices when an app releases a new patch and manually download. mistakes, will have bugs. Catch devices up that are missing patches during your manual compliance monitoring. There is just no way of avoiding this. Humans are, Options for managing patches with Jamf Now: well, human. Jamf Now receives automatic updates and automatic patch notifications, allowing you to deploy patches to all of your organization’s devices. That is why it’s imperative for organizations to implement a strategy for incorporating bug fixes You can delay updates for a period of time to test and verify that all your needed applications will as quickly as possible — especially as bugs can function smoothly with the update to devices. be security vulnerabilities. 11 Building Block Six: Secure Deployments

Conduct secure device and software deployments with Jamf Now and Apple Business Manager

The first step to ensuring secure deployments to all of your devices is to enroll in Apple’s free Apple Business Manager program.

With Apple Business Manager, you can inform Apple of all devices your organization owns, and tell Apple that you want all of these devices managed by your organization’s MDM. Then, when a device enrolled in this program first starts, it will automatically enroll itself in your organization’s MDM – allowing for tighter security controls and swifter security updates. This not only saves time, but also ensures security and eliminates guesswork.

With Jamf Now, you get:

Scalable deployment

Secure Blueprints

MDM made quick and simple

For Mac, iPad and iPhone Device and data security is no laughing matter.

Organizations have the choice to get ahead of possible attacks or thefts by implementing the strongest possible security protection through Apple — and Jamf can make this easier, faster and far more secure than manual security protocols.

Don’t find yourself surprised and scrambling. Take proactive steps to secure your devices and data to ensure the safety and security of your organization — and the individuals who make it.

Sign up for Jamf Now and your first 3 enrolled devices are free - forever!

Sign Up Contact Us

Or contact your preferred authorized reseller of Apple devices.